Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).
Over the past several months, we've noticed a growing number of "all-in-one" webmail phishing sites using Google Docs or Google Drive as bait. More than 1,700 are active as of this posting, many of which have been up for months.
Earlier this week, the members of the FFIEC issued guidance to financial institutions regarding the steps they should take to mitigate the risk of DDoS attacks. It's interesting that they now "expect each financial institution to address DDoS readiness." This isn't news for the big institutions, but many community banks and credit unions should take note and re-evaluate their DDoS risk accordingly.
Incapsula reports that a cross-site scripting (XSS) flaw on the site of one of the web's top video content providers was exploited to turn more than 22,000 users into unwilling DDoS bots. The flaw allowed the attacker to put malicious code in the <img> tag associated with a profile image, which executed every time a visitor's browser loaded the page. Using this method, the attacker posted comments on popular videos to rapidly create a huge botnet of hijacked browsers.
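To illustrate the class of flaw described above, here is an added example (written for this post, not code from Incapsula or the affected site) showing a profile-image URL pasted straight into an <img> tag beside a hardened rendering that validates the URL and escapes it in attribute context. The allow-listed host, the sample URLs and the fallback path are assumptions.

```python
import html
from typing import Optional
from urllib.parse import urlparse

# Constructed sample inputs: a normal avatar URL and one that tries to
# close the src attribute and add a second, attacker-controlled attribute.
BENIGN_URL = "https://cdn.example.com/avatars/u42.png"
HOSTILE_URL = 'https://cdn.example.com/a.png" onerror="doSomething()'

# Hypothetical allow-list of hosts that may serve profile images.
ALLOWED_IMAGE_HOSTS = ("cdn.example.com",)
DEFAULT_AVATAR = "/static/default-avatar.png"


def render_unsafe(url: str) -> str:
    """Vulnerable: the user-controlled value lands in the attribute unchanged,
    so a double quote in it ends src and starts a new attribute."""
    return f'<img src="{url}" alt="profile">'


def safe_image_url(url: str) -> Optional[str]:
    """Return the URL only if it is an absolute http(s) URL on an allowed
    host and contains no characters that can break out of an attribute."""
    try:
        parts = urlparse(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname not in ALLOWED_IMAGE_HOSTS:
        return None
    # Quotes, angle brackets and whitespace never belong in an avatar URL.
    if any(ch in url for ch in '"\'<> '):
        return None
    return url


def render_safe(url: str) -> str:
    """Hardened: validate first, fall back to a known-good image, and still
    escape in attribute context (quote=True turns " into &quot;)."""
    checked = safe_image_url(url) or DEFAULT_AVATAR
    return f'<img src="{html.escape(checked, quote=True)}" alt="profile">'


if __name__ == "__main__":
    print(render_unsafe(HOSTILE_URL))  # attacker attribute survives
    print(render_safe(HOSTILE_URL))    # falls back to the default avatar
    print(render_safe(BENIGN_URL))     # normal URL renders unchanged
```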
- Cyber Criminals Operate On A Budget, Too (DarkReading)
Websense published their 2014 Threat Report this week, reaffirming that there's a (un)healthy market for cybercrime tools and that cybercriminals care more about the ends (the money) than the means (the attack tool). Phishing is a great case in point. No need to use a cruise missile when a bullet gets the job done.
Pen tester Shubham Shah posted a flaw in Bitcoin wallet service Coinbase that will likely mean a spike in phishing attempts targeting users of the service. Coinbase has a feature that allows an individual to send unlimited money requests without restriction, which can be abused to enumerate and validate user email addresses.